GDPR and Research Data Management

An introduction to the General Data Protection Regulation (GDPR) and its implications for research data management. Presentation given by Tim Rodgers of Imperial College London at the London Area Research Data meeting, held at the London School of Hygiene & Tropical Medicine on 17th Nov 2017.

4.
Sanctions
• Isn’t (and has never been) just about loss of data
• For controllers and processors
• Two bands of fine – 2%/€10m or 4%/€20m, whichever is greater
4% can apply to processing without consent, violating principles of privacy by
design, unlawful cross-border data transfers, violation of data subject rights
2% can apply for not having records of processing in order, not notifying ICO or
data subject of a breach, or not conducting an impact assessment
15/01/20184

5.
Data protection safeguards
“To implement appropriate technical and organisational measures”
These safeguards should be appropriate to the degree of risk associated and
might include:
- pseudonymisation and/or encryption of personal data
- ensuring ongoing CIA and resilience
- restoring availability of and access to data in a timely manner following incident
- introduce regular testing and evaluation of these systems

6.
Privacy by Design
• Essential that an organisation ‘shows its working’
• DP concerns should be woven into the design of all procedures, projects,
systems
• Good DP compliance by default
• PIAs required for new activities and undertakings
• Especially for new activities and undertakings
• Does this, or should this stand part of ethics work for research?

7.
Consent
• Where required it must be:
Any freely given, specific, informed and unambiguous indication of his or
her wishes by which the data subject, either by statement or by a clear
affirmative action, signifies agreement to personal data relating to them
being processed
Organisations need to be able to show how and when consent was obtained.
Not necessarily explicit, but relating to data obtained for specific, explicit and
legitimate purposes.
Individuals must be able to withdraw consent and have a right to be forgotten
(subject to qualification)

8.
Rights for data subjects
• To be informed – for privacy notices to be more robust and transparent
• To have explained purposes & conditions of processing, intended retention,
right
• To erasure
• To data portability
• To restriction
• To rectification
• To access
• To object
• To prevent automated processing

10.
Privacy and Innovation
• Obvious main thrust of GDPR – to bolster privacy rights
• BUT ALSO…
• Harmonising legislation
• Exemptions for scientific, historical and health research
Aim to create a Digital Single Market…

11.
Key articles and recitals
• Recital 159 – broad definition of research
• Article 6(4), Recital 50 – organisations processing personal data for research
purposes may avoid restrictions on secondary processing and on processing
sensitive categories of data.
• Article 89 – as long as there are safeguards, organisations may override a
data subject’s right to object to processing and seek erasure of personal data
• Article 6(1)(f), Recitals 47, 157. Organisations to process personal data for
research purposes without the consent of a data subject
• Article 49(h), Recital 113 – for some processing personal data can be
transferred to third countries for research purposes without any other transfer
mechanism in place.

12.
Research as a basis for processing
• Article 6(1) outlines lawful bases for processing
• Article 6(4) allows data obtained through a lawful basis to be used for a
secondary research purpose.
• Research not a lawful basis in itself, but could be regarded as a legitimate
interest (Article 6(1)(f))
• What if you get consent, but are not clear at the time of collection about the
research? (Recital 33). Article 6(4) talks about purposes that are compatible
• Indeed Article 89 confirms that research in the public interest, for scientific or
historical research purposes would not be considered incompatible – subject
to safeguards set out in the same article

13.
Research as a purpose
• Controllers may process personal data, without consent, when “processing is
necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject” (Article
6(1)(f)).
Recital 47 discusses this further, based on the reasonable expectations of the
data subject regarding their relationship with the data controller
Recital 157 identifies benefits of personal data research
Remember that legitimate interests requires balance test (against data subject
rights)

15.
Other considerations
• Article 12(1) – Need to inform data subjects of what’s happening to their data
• This should be provided to the data subject at the first contact, and then
updated as purposes are added
• Being explicit and upfront on research might be difficult if research purposes
are not initially known
• Where data obtained from public source there is no need to notify if it would
require disproportionate effort (Recital 62)

16.
Data Subject Rights
• Article 17 discusses the right of erasure when consent is withdrawn, or the
data subject ob However under 17(3)(d) there is no need to accede to that
request if it impairs the achievement of research objectives
• Article 21 discusses the right to object to processing; 21(6) says that objection
can be dismissed if there is a wider public interest – though this needs to
consider nation state law (Recital 45)
• All data subject rights can be subject to derogation
• Any derogations applied (under Article 89(2)) need to be proportionate and
regarded as necessary for the fulfilment of [research] purposes

17.
Transfer to third countries for research
• Article 45(1) prohibits transfer of data outside EU unless there is adequate
protection
• Article 46 expects Binding Corporate Rules to be in place or for there to be
explicit consent so that the data subject knows where their data is going
• Article 49(1) permits transfers “necessary for the purposes of compelling
legitimate interests pursued by the controller which are not overridden by the
interests or rights and freedoms of the data subject”
• This can be onerous, with a real focus on safeguards and including
notification to the ICO of which country the data is being sent to

18.
Profiling
• Article 35(2) requires a PIA for: “a systematic and extensive evaluation of
personal aspects relating to…persons which is based on automated
processing, including profiling, and on which decisions are based that
produce legal effects concerning the natural person or similarly significantly
affect the…person.”
• Profiling is “any form of automated processing of personal data consisting of
the use of personal data to evaluate certain personal aspects relating to a…
person, in particular to analyse or predict aspects concerning that… person’s
performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements” (Article 4(4)). Article
22(1) prohibits controllers from subjecting a data subject to a decision “based
solely on automated processing, including profiling,” as a result of processing
sensitive data, as defined in Article 9, except in limited circumstances

19.
Research sensitive personal data
• Sensitive data can be processed for research – please see Article 9(2)(i)
which says that as long as it’s compliant with Article 89(1) regarding nation
state law then it’s ok
• Recital 52 clarifies that this requires particular safeguards to be in place
• Article 6(4) says data can be used for research as a secondary purpose
(regarded as compatible with the initial purpose that the data was created for)
• Profiling forbidden unless safeguarding in place

20.
Summary of regulation
Exemptions carved out for researchers :
- Researchers can process data for purposes beyond that for which it was
obtained
- Research can be regarded as a legitimate interest
- Data can be shared with 3rd country subject to safeguards
To benefit from these exemptions, researchers must implement appropriate
safeguards, in keeping with recognized ethical standards, that lower the risks of
research for the rights of individuals.

22.
DPIA
• All projects/processes require a DPIA – a Data Privacy Impact Assessment
• Being embedded in ICT Project Management methodology
• Looking to establish in other project management approaches (e.g.
Operational Excellence)
• To think, at every stage, about how the privacy of the data subjects is
impacted by the processing of the data.